CVE-2025-64155
January 15, 2026

Critical Command Injection in Fortinet FortiSIEM

Security Advisory
Kudelski Security Team

Summary

CVE-2025-64155 is a critical command injection vulnerability in Fortinet FortiSIEM, affecting versions 6.7.0 through 7.4.0. This vulnerability allows unauthenticated attackers to execute arbitrary code or commands via crafted TCP requests, potentially leading to full system compromise. Public exploit code is available, increasing the risk of exploitation.

Affected Systems and/or Applications

The following versions of Fortinet FortiSIEM are affected:

  • FortiSIEM 6.7.0 through 6.7.10
  • FortiSIEM 7.0.0 through 7.0.4
  • FortiSIEM 7.1.0 through 7.1.8
  • FortiSIEM 7.2.0 through 7.2.6
  • FortiSIEM 7.3.0 through 7.3.4
  • FortiSIEM 7.4.0

FortiSIEM 7.5 and FortiSIEM Cloud are not affected.

Instances are exploitable when the following condition is met: network access to the FortiSIEM phMonitor service, which listens by default on TCP port 7900.

You can also use the following Nessus plugin to test whether your Fortinet FortiSIEM deployment is vulnerable.

Technical Details

The vulnerability is due to improper neutralization of user-supplied input in the phMonitor service, which listens on TCP port 7900. This service is responsible for health monitoring and task dispatching. The phMonitor service is used internally by FortiSIEM components to exchange data and commands and is present across all common deployment architectures. This service exposes a large set of command handlers that can be invoked remotely without authentication.

The flaw allows attackers to inject commands and write arbitrary files, which can be executed with root privileges. Specifically, the vulnerability arises when handling storage configuration requests with the storage type set to elastic, allowing argument injection into a curl command. This allows an unauthenticated attacker to write arbitrary files to arbitrary locations on the FortiSIEM appliance in the context of the FortiSIEM admin user. By overwriting binaries or scripts that are executed on a recurring basis, the attacker can achieve reliable remote code execution.

Mitigation

Fortinet has released patches to address this vulnerability. Affected users should upgrade to the following fixed versions:

  • FortiSIEM 6.7.11 or later
  • FortiSIEM 7.1.9 or later
  • FortiSIEM 7.2.7 or later
  • FortiSIEM 7.3.5 or later
  • FortiSIEM 7.4.1 or later

If immediate patching is not possible, it is recommended to:

  • Restrict network access to the phMonitor service on TCP port 7900 using firewall rules.
  • Ensure FortiSIEM services are only accessible from trusted administrative networks.
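The following script is an added example and is not code from the Kudelski advisory or from Fortinet. It encodes the affected and fixed version ranges listed above so that an inventory of FortiSIEM version strings can be classified (vulnerable or not, and which fixed release applies to that branch), and it includes a small connectivity check to confirm, from a host that should not be allowed to reach phMonitor, that the TCP 7900 firewall restriction actually holds. The sample version strings and the 192.0.2.10 address are constructed inputs; the advisory lists no fixed release for the 7.0.x branch, so the checker reports that branch as having no listed fix.

```python
"""Added example (not from the Kudelski advisory or Fortinet): classify a FortiSIEM
version against the affected ranges above, report the fixed release for its branch,
and verify that the phMonitor port (TCP 7900) is not reachable from an untrusted
network position once the firewall workaround is in place."""
import socket
from typing import Callable, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) and the fixed release per branch, transcribed from the
# advisory. The 7.0.x branch is listed as affected but no fixed 7.0 release is
# given, so its fixed entry is None.
AFFECTED = {
    (6, 7): ((6, 7, 0), (6, 7, 10), (6, 7, 11)),
    (7, 0): ((7, 0, 0), (7, 0, 4), None),
    (7, 1): ((7, 1, 0), (7, 1, 8), (7, 1, 9)),
    (7, 2): ((7, 2, 0), (7, 2, 6), (7, 2, 7)),
    (7, 3): ((7, 3, 0), (7, 3, 4), (7, 3, 5)),
    (7, 4): ((7, 4, 0), (7, 4, 0), (7, 4, 1)),
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; a trailing build number such as '7.2.3.1234' is ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def fmt(v: Optional[Version]) -> Optional[str]:
    """Render a version tuple back to dotted form (None stays None)."""
    return None if v is None else ".".join(map(str, v))


def assess(text: str) -> dict:
    """Return whether the version is in an affected range, the fixed release for
    its branch (if the advisory lists one) and a short remediation note."""
    v = parse_version(text)
    entry = AFFECTED.get(v[:2])
    if entry is None:
        # 7.5 is explicitly unaffected; other branches are simply not listed.
        return {"version": text, "vulnerable": False, "fixed_in": None,
                "note": "branch not listed as affected in the advisory"}
    low, high, fixed = entry
    if low <= v <= high:
        note = (f"upgrade to {fmt(fixed)} or later" if fixed
                else "no fixed release listed for this branch; move to a patched branch")
        return {"version": text, "vulnerable": True, "fixed_in": fmt(fixed), "note": note}
    return {"version": text, "vulnerable": False, "fixed_in": fmt(fixed),
            "note": "outside the affected range for this branch"}


def port_reachable(host: str, port: int = 7900, timeout: float = 3.0,
                   connect: Callable = socket.create_connection) -> bool:
    """True if a TCP handshake to host:port completes. Run it from a host that
    should NOT be permitted to reach phMonitor to confirm the firewall rule holds.
    `connect` is injectable so the logic can be exercised without a network."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample inventory; one entry per branch plus an unaffected release.
    for sample in ("6.7.10", "7.0.4", "7.2.7", "7.4.0", "7.5.0"):
        print(assess(sample))
    # 192.0.2.10 is an RFC 5737 documentation address standing in for a supervisor.
    print("TCP/7900 reachable:", port_reachable("192.0.2.10", timeout=1.0))
```

Feed `assess()` the version strings from your asset inventory and treat any result with `"vulnerable": True` as a patch priority; run `port_reachable()` from a workstation outside the trusted administrative network, where a `True` result means the firewall restriction is not yet effective.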

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring the situation and will issue advisory updates as needed.
